Solved

Webmail Redirect Quit Working

Posted on 2006-11-20
Last Modified: 2010-03-06
Our bridgehead server (Exchange 2000) redirects to a secure port on another Exchange 2000 server for webmail access. We used to only have to authenticate once to gain access. Now we are prompted twice. I verified that the method of authentication and the redirect settings are still in place and they are. We are also getting a certificate window popping up before the login window which never used to happen before. Has anybody had any experience with this? Please advise. Thanks!
Question by: gfcnetwork

Expert Comment by: Sembee (LVL 104)
When the certificate prompt comes up, what does it say is the reason for the failure? Has your certificate expired?

Simon.

Author Comment by: gfcnetwork
It is saying that the certificate has expired or is not valid. Would that be the cause of the lack of redirect?

Expert Comment by: Sembee (LVL 104)
There is a good chance that would break something. You need to get the certificate renewed.

What do you mean by redirect? Are you using a frontend/backend scenario?

Simon.

Author Comment by: gfcnetwork
I renewed the certificate and now, when testing from within the network, webmail prompts twice for authentication. Once at the "external" web address for our webmail and once at the server that hosts the mailboxes. From outside the network, only one login is needed. Is there an explanation for why this changed?

Expert Comment by: Sembee (LVL 104)
Are you using a frontend/backend scenario? Something else that is proxying the connection?

Simon.

Author Comment by: gfcnetwork
We have a bridgehead server and that server is acting as the first point of contact. That server redirects to another server that actually holds the mailbox store. Is that the information that you are looking for? Thanks!
 
Expert Comment by: Sembee (LVL 104)
You haven't answered my question.

Is this a frontend/backend scenario?
Is the server an Exchange server or something else?
A bridgehead server could be anything.

Simon.

Author Comment by: gfcnetwork
I do not believe we are not using a frontend/backend scenario. I would be able to access the server by host name if needed to get to webmail. If you could clarify what you are looking for that would be great. What exactly makes it a frontend/backend setup?
Yes, both servers previously referenced are Exchange servers.

Expert Comment by: Sembee (LVL 104)
In a frontend/backend scenario you have a single server that provides OWA for all of the backend servers. This is configured as a frontend server, which is simply a matter of enabling an option in ESM. With Exchange 2000 the frontend server had to be an Enterprise Edition server - which meant their deployment wasn't as widespread.

If you do not have a frontend server, but users hit the first server for OWA access, then Exchange will attempt to redirect the user to the correct server. The redirect will be to the server's real name. That means that the server's real name must be resolvable on the internet.

In a frontend/backend scenario the user is not redirected and you don't have to worry about the server's real name resolving on the internet. It allows you to use an alias for OWA access and have an SSL certificate issued to the alias.

I don't deploy multiple Exchange servers without a frontend server because the redirection causes problems. If the site has used .local then it cannot be done. If the site has used a domain name that isn't theirs, then it cannot be done. If the site only has one IP address, then it cannot be done.

Is your backend server accessible directly over the internet by its real name?

Simon.
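
As an added illustration of the redirect behaviour described in the comment above (not part of the thread and not code from any poster): a Python check of one OWA redirect hop that flags an internal-only target name, an expired certificate, and a certificate issued to a different name than the redirect target. The function names, message strings and sample values are constructed for this example.

```python
import datetime as dt
import socket
import ssl
from urllib.parse import urlsplit

def dns_resolves(host):
    """Default resolver check; run it from the client's side of the network."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False

def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_redirect_hop(location, cert, resolves=dns_resolves, now=None):
    """Problems for one hop: Location header plus ssl.getpeercert()-style dict."""
    now = now or dt.datetime.now(dt.timezone.utc)
    url = urlsplit(location)
    host = (url.hostname or "").lower()
    problems = []
    if url.scheme != "https":
        problems.append("redirect target is not HTTPS")
    if host.endswith(".local") or "." not in host:
        problems.append("internal-only name")  # never resolvable from the internet
    elif not resolves(host):
        problems.append("name does not resolve")
    expires = dt.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), dt.timezone.utc)
    if expires <= now:
        problems.append("certificate expired")
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # no SAN entries: fall back to the subject common name
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    if not any(name_matches(n, host) for n in names):
        problems.append("certificate name mismatch")
    return problems

# Constructed sample: redirect to a server's real (internal) name, while the
# certificate was issued to the public alias and has already expired.
SAMPLE_LOCATION = "https://mbx1.corp.local/exchange/jdoe/"
SAMPLE_CERT = {"notAfter": "Nov 18 00:00:00 2006 GMT",
               "subject": ((("commonName", "webmail.example.com"),),)}
```

Run the check once from inside the network and once from outside, since the name may resolve differently on each side.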

Author Comment by: gfcnetwork
We are not using a true frontend/backend scenario. We are using the second scenario you describe. We have a web address that is hit by all users, and then users are redirected to the server that actually holds their mailbox. We have 6 servers that this could be. We have an SSL cert installed on both the server that users hit first and on each "mailbox" server.

We are able to go straight to the "mailbox" server by name.

The issue that we are trying to resolve is that no second authentication used to be needed for one of our Exchange servers, now it is, but only if trying to reach it from within our network. From the general Internet, no second authentication is needed for this particular server. On our other 5 servers, a second authentication is needed from the Internet.

I am trying to figure out why we suddenly need the second authentication from within our network for the one server and why from the Internet the same server does not need the second authentication, but all of our other ones do.

We have a mix of Exchange 2000 and Exchange 2003. The server that needs a second authentication from within our network, but not from the Internet is running Exchange 2000, fully patched.

I hope that I didn't confuse things more. Any ideas would be great! Thanks!

Expert Comment by: Sembee (LVL 104)
Any reason you are not using a frontend/backend? Considering that you have a mixed site you could easily stand-up a single standard Exchange 2003 server to act as a frontend.

As for your question - I have no idea. I do not deploy that scenario. As soon as the client introduces a second Exchange mailbox server it is almost mandatory to have a frontend server. It also saves having multiple servers exposed to the internet.

Considering what is happening, I am surprised that you were only getting a single prompt, because as you are not using a frontend/backend scenario there is nothing to pass the credentials across. You may well have had it working despite the configuration, not because of something that you have done, and a recent security update in either Windows or Exchange, either server side or client side, has fixed the flaw and broken this functionality.

Simon.

Author Comment by: gfcnetwork
This is just how the system was set up when I inherited it. Do you have any links for articles on how to implement the frontend/backend scenario? Would it also be able to be used as a bridgehead or would I need a separate server for that?

Accepted Solution by: Sembee (LVL 104), earned 250 total points
This is the official white paper on frontend/backend:

http://www.microsoft.com/downloads/details.aspx?familyid=E64666FC-42B7-48A1-AB85-3C8327D77B70&displaylang=en

You can use a frontend as the single point of entry - the bridgehead server. That is often how I deploy frontend servers - I use them for everything that comes in to the Exchange org - OWA, RPC over HTTPS, Mobile, SMTP, POP3 etc.

A frontend needs to be the same or higher than your backend servers, so even if you have only the one Exchange 2003 backend server you need to have your frontends on the Exchange 2003 version.

Simon.